There are a myriad of testing and assessment techniques for validating various properties of software applications and network implementations. However, one of the most critical processes for ensuring that the deployment of software does not expose an organization to unacceptable risks is security and vulnerability testing. Some of the conventional techniques used to perform such testing includes static analysis (automated code review), dynamic analysis (automated penetration testing) and manual analyses such as code review, design review, and manual penetration testing. All of these analysis techniques are aimed at finding security weaknesses and vulnerabilities in an application and typically provided in report format to the programmers, product managers and quality assurance (QA) staff. The report can provide detailed results (e.g., program names, line numbers, variable names, data connections, etc.) as well as a summary of the results. The report may be a conventional document such as a text file or a structured XML file.
To assist developers in steering clear of many of the well-know pitfalls, system security professionals have developed, over time, a number of best practices. These best practices are typically published as documents, text books, wiki pages or other reference materials. The best practices can include, for example, adherence to certain secure coding standards, use of enhanced-security code libraries, avoidance of code constructs or libraries known to be risky, etc.
There are a number of tools that attempt to identify potential or actual security problems in application code, thus providing “negative feedback” to the developers on suspect and, in some cases, suggesting potential steps to improve the code. However, to date there have not existed any automated mechanisms for explicitly identifying the developer's affirmative use of more-secure best practices, or of providing “positive feedback” to the developer on their coding. As such, developers who implement certain well-designed coding or design techniques may not fully benefit from a comprehensive knowledge base regarding particular best practices.
The foregoing examples of the related art and limitations related therewith are intended to be illustrative and not exclusive. Other limitations of the related art will become apparent upon a reading of the specification and a study of the drawings.